No, It’s Samsung, Not Swiftkey, That Is To Blame For This Keyboard Security Scare

The media is blowing up right now at a startup called Swiftkey which was named in an announcement at a Black Hat conference about a bug in most Samsung smartphones that could allow hackers to attack the phone and spy on users.

Researchers at cybersecurity firm NowSecure found the a bug in many Samsung smartphones last fall. Although Samsung told NowSecure in March that it had sent wireless carriers a fix which could be transmitted to the phones, and not to go public on it for three months, Samsung did nothing about it. So NowSecure went and bought two new Samsung Galaxy S6’s from Verizon and Sprint and found they were still vulnerable to the security hole. So, what the heck: they went public about it at a hacker conference. Somewhere, there is a Samsung head of security that should be considering their position…

Now, the reason UK startup Swiftkey has been fingered in all this is because the hole is related to how the phone accepts data when updating keyboard software. Swiftkey’s keyboard has been embedded in many Samsung phones because its Artificial Intelligence is astounding at predicting what words you are about to type, thus making typing on a smartphone far easier and faster.

But a lot of the media has got it (mostly) wrong.

Swiftkey is not to blame here and vulnerability is unrelated to SwiftKey’s consumer apps on Google Play and the Apple App Store. So your Swiftkey app has nothing to do with this story.

Yes, it supplies Samsung with the core technology that powers the word predictions in their keyboard.

But TechCrunch understand that the way that Swiftkey’s engine was integrated on Samsung devices introduced the security vulnerability in the first place.

It’s also a very low risk problem. For the bug to expose the phone, a user would have to be connected to a compromised network (such as a spoofed public Wi-Fi network) created for those purposes by a hacker with malicious intentions.

In a statement, Swiftkey told us that even then the access is only possible if the user’s keyboard is “conducting a language update at that specific time, while connected to the compromised network.”

It absolutely does not affect SwiftKey’s app on Google Play or the Apple App Store.

Here’s the bottom-line: our sources have told us that Samsung “screwed up” how they implemented Swiftkey’s SDK into their keyboard. Why? because they crazily gave the keyboard system level permissions.

As NowSecure says:

“It’s unfortunate but typical for OEMs and carriers to preinstall third-party applications to a device. In some cases these applications are run from a privileged context. This is the case with the Swift (sic) keyboard on Samsung… This means that the keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root.”

Swiftkey does have one issue though: It used HTTP rather than HTTPS in some aspects of how the keyboard gets updated. This might have protected what appears to be a basic mistake in how Samsung integrated SwiftKey on their devices.

But whether it’s HTTP vs HTTPS is not the main issue here. It’s the system permissions – which is a problem laying firmly in Samsung’s camp.

So what we have here ultimately is what often happens: A big company has a lot of Indians and not enough Chiefs running around blaming each-other, screws up and the startup it worked with gets the blame.